Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LogEase Search

v1.1.0

Real-time keyword search and aggregation analysis of security alerts, network device logs and system logs through the LogEase (日志易) platform, limited to relative time ranges and at most 100 returned rows.


Install

Install with OpenClaw (prompt flow)

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for x1nq/logeasy-search.

Install & Setup prompt:

Install the skill "LogEase Search" (x1nq/logeasy-search) from ClawHub.
Skill page: https://clawhub.ai/x1nq/logeasy-search
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI:

openclaw skills install logeasy-search

ClawHub CLI:

npx clawhub@latest install logeasy-search

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description and the included code (log search, aggregation, anomaly detection) are coherent with a log-search tool. However, the SKILL metadata declares no required env vars or credentials while SKILL.md embeds a BasicAuth credential (admin:MIma@sec2025) and internal IP (http://10.20.51.16). The shipped server code also expects LOGEASE_* env vars. The presence of hardcoded internal targets and credentials with no declared environment requirements is disproportionate and inconsistent.
Instruction Scope
SKILL.md instructs direct HTTP access to an internal IP using embedded BasicAuth credentials and recommends running included Python scripts. The runtime instructions therefore direct network calls with secrets. The repository code also contains logic to load .env files and an absolute filesystem path to an OpenAPI YAML in the developer's Downloads folder (fs.readFileSync('/Users/rizhiyi/...')), indicating the package will attempt to read local files—scope creep beyond a simple query helper. Instructions and code could access local .env, config, and internal network resources.
Install Mechanism
No install spec is provided (instruction-only), which is lower install-risk. But the package contains many executable JS/TS and Python files (server components, client code, scripts). Although nothing is declared to be installed, those files could be executed by the agent runtime. The mismatch between 'no install' and presence of full server/client code is a maintenance/packaging inconsistency and increases risk if the platform auto-executes bundled code.
Credentials
The skill does not declare required env vars, yet code reads LOGEASE_BASE_URL, LOGEASE_AUTH_HEADER, LOGEASE_API_KEY, LOGEASE_TLS_REJECT_UNAUTHORIZED and also loads .env files. SKILL.md hardcodes an admin username/password for an internal host (exposed secret). Requiring or embedding internal credentials and offering defaults for internal IPs is disproportionate for a third-party skill and could enable network access or credential misuse. The code also accepts disabled TLS verification by default in places, which reduces security.
Persistence & Privilege
The skill does not request always:true and uses normal MCP server constructs; autonomous invocation is allowed (platform default). There is no explicit request to persist across agents. However, server code (StdioServerTransport) and dotenv usage mean the skill may read local configuration and environment if executed—so run it in a restricted/sandboxed environment or confirm execution policy.
Scan Findings in Context
[hardcoded-credential-in-SKILL.md] unexpected: SKILL.md contains BasicAuth credentials (admin:MIma@sec2025) and internal IP (10.20.51.16). Hardcoded secrets in a skill are not expected and are a risk; credentials should be provided via secure env vars, not embedded in docs.
[fs-read-absolute-path] unexpected: custom_tools_server reads an absolute developer-local path to Api_5.3_schema_mini.yaml ('/Users/rizhiyi/Downloads/...'). A distributed skill should not rely on or attempt to read a developer's local filesystem path—this is incoherent and may indicate sloppy packaging or an attempt to access local files.
[dotenv-usage-and-unset-env-reads] expected: The code uses dotenv and reads LOGEASE_* env vars which is reasonable for configuring a client. However, the skill metadata declares no required env vars while the code expects them—this mismatch reduces transparency and is suspicious.
What to consider before installing
This package implements a LogEase search service and largely matches its claimed function, but there are several red flags: (1) SKILL.md contains a hardcoded internal IP and plaintext BasicAuth credentials — do NOT use those credentials in production or on sensitive agents. (2) The code tries to read a developer-local absolute path and .env files, so if the skill runs on your agent it may access local configuration. (3) Many runnable JS/Python files are bundled even though no install is declared. Before installing: verify the skill's provenance and ask the publisher why secrets and absolute paths are embedded; replace hardcoded credentials with secure env vars; run the skill in an isolated sandbox or test account; inspect and/or remove any code that reads local filesystem paths; if those hardcoded credentials were ever used in your network, rotate them. If you cannot verify the source and do not want internal network access from third-party code, avoid installing.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • rizhiyi-mcp/dist/custom_tools_server.js:10: Environment variable access combined with network send.
  • rizhiyi-mcp/dist/openapi_server.js:11: Environment variable access combined with network send.
  • rizhiyi-mcp/src/custom_tools_server.ts:15: Environment variable access combined with network send.
  • rizhiyi-mcp/src/openapi_server.ts:16: Environment variable access combined with network send.
  • rizhiyi-mcp/dist/custom_tools_server.js:37: File read combined with network send (possible exfiltration).
  • rizhiyi-mcp/dist/openapi_server.js:37: File read combined with network send (possible exfiltration).
  • rizhiyi-mcp/src/custom_tools_server.ts:47: File read combined with network send (possible exfiltration).
  • rizhiyi-mcp/src/openapi_server.ts:47: File read combined with network send (possible exfiltration).

Latest version: v1.1.0 · 89 downloads · 0 stars · 1 version · updated 1 month ago · license: MIT-0

日志易 (LogEase) Search Tool

Search all kinds of log data through the LogEase platform; supports security alert analysis, network device logs, system logs and other scenarios.

Connection information

  • API address: http://10.20.51.16
  • Authentication: HTTP BasicAuth
  • Username: admin
  • Password: MIma@sec2025
  • Search API: GET /api/v3/search/sheets/
  • Index: yotta (default)

Search script

  • Path: scripts/logeasy_search.py
  • Usage:
    python logeasy_search.py "query" --time 1h --limit 100
    python logeasy_search.py "appname:sip alarm" --time 12h --limit 50
    
  • Parameters: --time (1h/24h/7d/30m), --limit (row count, default 100), --index (default yotta), --raw (raw JSON)

⚠️ Important limitations

Time format

  • The only accepted form: time_range=now-1h,now (relative time)
  • ❌ ISO format → returns 0 rows
  • ❌ Timestamp format → returns 0 rows

Result count

  • The API hard-limits every response to 100 rows (regardless of the limit value)
  • Aggregation queries (| top) are not subject to limit and can compute distributions over the full data set
  • Use aggregation for statistics and raw queries for details (at most 100 sample rows)
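The two limits above (relative time ranges only, and a 100-row cap on raw queries) as an added helper that is not part of the skill's own scripts/logeasy_search.py: it converts the script's --time values into the accepted now-<n><unit>,now form, rejects ISO and epoch values up front instead of letting the API silently return zero rows, and flags raw queries whose requested limit exceeds the cap so the caller knows to use total_hits or a | top aggregation for counts. Function names are mine; the parameter names are the ones the page's Python template sends.

```python
import re
import urllib.parse

# Hard cap the page documents: raw searches never return more than 100 rows.
API_HARD_LIMIT = 100

# --time values the script accepts: a count plus m/h/d (30m, 1h, 24h, 7d).
_RELATIVE = re.compile(r"^(\d+)([mhd])$")
# Formats the page reports as silently returning 0 rows.
_ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}")
_EPOCH = re.compile(r"^\d{9,13}$")


def to_time_range(spec: str) -> str:
    """Convert a --time value such as '12h' into the only accepted form, 'now-12h,now'.

    Raises ValueError for ISO dates and epoch timestamps instead of sending them,
    because the API answers those with an empty result set rather than an error."""
    spec = spec.strip()
    if spec.startswith("now-") and spec.endswith(",now"):
        return spec  # already a relative range
    if _ISO_DATE.match(spec) or _EPOCH.match(spec):
        raise ValueError(f"{spec!r}: ISO/epoch formats return 0 rows; use a relative range like 1h or 7d")
    m = _RELATIVE.match(spec)
    if not m:
        raise ValueError(f"{spec!r}: expected <n>m, <n>h or <n>d")
    return f"now-{m.group(1)}{m.group(2)},now"


def is_valid_time_spec(spec: str) -> bool:
    try:
        to_time_range(spec)
        return True
    except ValueError:
        return False


def is_aggregation(query: str) -> bool:
    """True for pipelined statistics such as '... | top field', which escape the 100-row cap."""
    return re.search(r"\|\s*[A-Za-z]+", query) is not None


def build_params(query: str, time_spec: str = "1h", limit: int = 100, index: str = "yotta") -> dict:
    """Assemble the parameters for GET /api/v3/search/sheets/.

    'limit' is clamped to the hard cap; 'truncated' tells the caller that a raw
    query asked for more rows than the API will ever return, so totals should
    come from an aggregation (or total_hits) rather than from counting rows."""
    wanted = int(limit)
    return {
        "query": query,
        "time_range": to_time_range(time_spec),
        "index_name": index,
        "limit": max(1, min(wanted, API_HARD_LIMIT)),
        "truncated": wanted > API_HARD_LIMIT and not is_aggregation(query),
    }


def build_query_string(query: str, time_spec: str = "1h", limit: int = 100, index: str = "yotta") -> str:
    """URL-encode the parameters; the advisory 'truncated' flag is not sent to the server."""
    params = build_params(query, time_spec, limit, index)
    params.pop("truncated")
    return urllib.parse.urlencode(params)


if __name__ == "__main__":
    print(build_query_string("appname:sip alarm", "12h", 50))
    print(build_params("appname:switch tag:h3c_newbase", "24h", 500))
```

The clamp keeps requests within what the API will honour; the truncated flag is what a wrapper should surface to the user instead of quietly returning 100 rows for a 500-row request.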

Content inspection

  • Large volumes of raw alert content may trigger a data_inspection_failed 500 error
  • When that happens, reduce the amount of data per query or split the query into batches

Known log sources

| Log source | Query condition | Key fields | Notes |
| --- | --- | --- | --- |
| SIP situational awareness | appname:sip | sip.attack_ip, sip.suffer_ip, sip.attack_type_name, etc. | Security alerts; see the logeasy-sip skill |
| Feilian (飞廉) | logtype:feilian | feilian.content.client_ip, feilian.content.connection_ip | VPN/connection logs |
| H3C switches | appname:switch tag:h3c_newbase | raw_message (unstructured) | Switch syslog |
| LogEase itself | appname:rizhiyi | remote_addr | System logs |
| Other network devices | appname:switch | raw_message | Various switches/routers |

Query templates

SIP security alerts (use the logeasy-sip skill)

# All SIP alerts
python logeasy_search.py "appname:sip alarm" --time 12h --limit 50

# High-risk alerts where the attack succeeded
python logeasy_search.py "appname:sip sip.attack_state:1" --time 1h --limit 20

H3C switch logs

# All H3C switch logs
python logeasy_search.py "appname:switch tag:h3c_newbase" --time 12h --limit 100

# Specific alert types (ARP conflict, fan anomaly, etc.)
python logeasy_search.py "appname:switch tag:h3c_newbase ARP_SENDER_IPCONFLICT" --time 12h --limit 20

# Specific device
python logeasy_search.py "appname:switch tag:h3c_newbase hostname:10.5.1.43" --time 1h --limit 20

Feilian logs

# Feilian connection logs
python logeasy_search.py "logtype:feilian" --time 1h --limit 20

# Specific client IP
python logeasy_search.py "logtype:feilian client_ip:10.45.123.44" --time 1h --limit 20

General search

# Keyword search (full-text match)
python logeasy_search.py "关键词" --time 1h --limit 20

# Search by host
python logeasy_search.py "hostname:10.20.51.11" --time 1h --limit 20

# Field search (only some fields are supported)
python logeasy_search.py "appname:sip sip.suffer_ip:10.10.185.8" --time 1h --limit 20

Aggregation query templates

Aggregation queries are used for statistics over the full data set and are not subject to the 100-row limit:

# Distribution by attack type
search("appname:sip sip.attack_type_name:* | top sip.attack_type_name", time_range="now-12h,now")

# Distribution by host
search("appname:switch tag:h3c_newbase hostname:* | top hostname", time_range="now-12h,now")

# Distribution by log level
search("appname:switch tag:h3c_newbase %%*/*/* | ...", time_range="now-12h,now")

H3C switch log analysis notes

Log format

<priority>Mar 25 11:45:52 2026 <device name> %%<module>/<level>/<event>: <event details>
  • priority: syslog priority
  • device name: e.g. ITC-C15-U16-Border-Leaf-1, DMZ-C13-U38-10G-ASW-2
  • module: e.g. ARP (ARP events), DEV (device), SEC (security)

Common alert types

| Alert keyword | Severity | Description |
| --- | --- | --- |
| ARP_SENDER_IPCONFLICT | ⚠️ medium | ARP sender IP conflict |
| DUPIFIP | ⚠️ medium | Duplicate address detection |
| FAN_DIRECTION_NOT_PREFERRED | ℹ️ low | Fan direction is not the preferred one |
| LINK_UPDOWN | ⚠️ medium | Link up/down change |
| CPU_HIGH | 🔴 high | CPU usage too high |
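A parser for the log format and alert table above, added here as an example and not part of the skill: it splits a raw_message line into syslog priority, host, module, level and event mnemonic, looks the mnemonic up in the page's severity table, and tallies events per host the way a `| top hostname` aggregation would, but locally on rows already fetched. The sample lines are constructed, and the optional vendor-id digits accepted after %% are an assumption about Comware-style output rather than something the page states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Severity notes for the event mnemonics listed in the alert table above.
KNOWN_ALARMS = {
    "ARP_SENDER_IPCONFLICT": "medium",
    "DUPIFIP": "medium",
    "FAN_DIRECTION_NOT_PREFERRED": "low",
    "LINK_UPDOWN": "medium",
    "CPU_HIGH": "high",
}

# <priority>Mon DD HH:MM:SS YYYY HOST %%[vendor-id]MODULE/LEVEL/EVENT: detail
# The optional digits after %% are an assumption: Comware-style logs put a vendor
# id (such as 10) in front of the module name, and it is dropped here.
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) "
    r"%%(?:\d+)?(?P<module>[A-Z0-9]+?)/(?P<level>\d)/(?P<event>[A-Z0-9_]+): ?"
    r"(?P<detail>.*)$"
)


@dataclass
class H3CEvent:
    facility: int   # syslog facility, priority // 8
    severity: int   # syslog severity, priority % 8
    timestamp: str
    host: str
    module: str     # ARP, DEV, SEC, ...
    level: int      # the level inside %%MODULE/LEVEL/EVENT
    event: str      # mnemonic such as ARP_SENDER_IPCONFLICT
    detail: str
    risk: str       # from KNOWN_ALARMS, or "unknown"


def parse_h3c(line: str) -> Optional[H3CEvent]:
    """Return the structured event, or None when the line is not in the switch syslog format."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    event = m["event"]
    return H3CEvent(pri // 8, pri % 8, m["ts"], m["host"], m["module"],
                    int(m["level"]), event, m["detail"], KNOWN_ALARMS.get(event, "unknown"))


def summarize(lines) -> dict:
    """Count parsed events per (host, event): a local equivalent of '| top' over fetched rows."""
    counts = {}
    for line in lines:
        ev = parse_h3c(line)
        if ev is None:
            continue  # lines the regex does not recognise are skipped, not counted
        key = (ev.host, ev.event)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines shaped like the format above (not real device output).
SAMPLE_LINES = [
    "<188>Mar 25 11:45:52 2026 ITC-C15-U16-Border-Leaf-1 %%10ARP/4/ARP_SENDER_IPCONFLICT: Sender IP conflict detected on GigabitEthernet1/0/3.",
    "<190>Mar 25 11:46:03 2026 DMZ-C13-U38-10G-ASW-2 %%10DEV/6/FAN_DIRECTION_NOT_PREFERRED: Fan 1 direction is not preferred.",
    "<188>Mar 25 11:46:10 2026 ITC-C15-U16-Border-Leaf-1 %%10ARP/4/ARP_SENDER_IPCONFLICT: Sender IP conflict detected on GigabitEthernet1/0/7.",
    "this line is not switch syslog",
]

if __name__ == "__main__":
    for (host, event), n in sorted(summarize(SAMPLE_LINES).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {host:32s} {event}  [{KNOWN_ALARMS.get(event, 'unknown')}]")
```

Unknown mnemonics are kept with risk "unknown" rather than dropped, so new alert types surface in the tally instead of disappearing.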

Known device inventory

  • Core switch: 10.5.1.11 (largest log volume)
  • Border switch: 10.5.1.43 (ITC-C15-U16-Border-Leaf-1)
  • DMZ area: 10.5.1.51/52 (DMZ-C12/C13)
  • STM area: 10.5.2.23/24 (STM-D01/D02)

Python call template

import urllib.request, urllib.parse, json, sys, base64

sys.stdout.reconfigure(encoding='utf-8')

# Endpoint and credentials exactly as SKILL.md ships them; the scan section above
# flags this hardcoded BasicAuth credential and internal address.
USER = 'admin'
PASS = 'MIma@sec2025'
CRED = base64.b64encode(f'{USER}:{PASS}'.encode()).decode()
HEADERS = {'Authorization': f'Basic {CRED}'}
BASE = 'http://10.20.51.16/api/v3/search/sheets/'

def search(query, time_range='now-1h,now', limit=100):
    """Search logs. time_range must be relative (now-1h,now); the API returns at most 100 rows."""
    url = f'{BASE}?query={urllib.parse.quote(query)}&time_range={urllib.parse.quote(time_range)}&index_name=yotta&limit={limit}'
    req = urllib.request.Request(url, headers=HEADERS)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read())

def count(query, time_range='now-1h,now'):
    """Count hits: total_hits from a limit=1 query, which is not subject to the 100-row cap."""
    r = search(query, time_range, limit=1)
    return r.get('results', {}).get('total_hits', 0)
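The scan section above flags the hardcoded BasicAuth credential, the developer-local absolute path and the places where TLS verification is disabled by default, and recommends secure env vars instead; the template just above shows the flagged pattern. This added example (mine, not the skill's code) is the corresponding hardened client configuration plus a small pre-install lint for the same three findings. It uses the LOGEASE_BASE_URL, LOGEASE_AUTH_HEADER and LOGEASE_TLS_REJECT_UNAUTHORIZED names the scan reports, but their exact semantics are assumed; LOGEASE_ALLOW_INSECURE_HTTP and all function names are hypothetical, and the sample SKILL.md text is constructed with placeholder values.

```python
import os
import re
import ssl
import urllib.parse
import urllib.request


def validate_env(env) -> list:
    """Return the problems that would stop a safe client from starting (empty list means OK).

    Assumed semantics: LOGEASE_AUTH_HEADER is the full Authorization header value;
    LOGEASE_TLS_REJECT_UNAUTHORIZED=0 is the only way to turn certificate checking off;
    LOGEASE_ALLOW_INSECURE_HTTP is a hypothetical opt-in and not part of the skill."""
    problems = []
    base = env.get("LOGEASE_BASE_URL", "")
    if not base:
        problems.append("LOGEASE_BASE_URL is not set")
    elif urllib.parse.urlsplit(base).scheme != "https" and env.get("LOGEASE_ALLOW_INSECURE_HTTP") != "1":
        problems.append("LOGEASE_BASE_URL is not https; BasicAuth over http sends the password in clear text")
    if not env.get("LOGEASE_AUTH_HEADER"):
        problems.append("LOGEASE_AUTH_HEADER is not set (credentials are never hardcoded here)")
    return problems


def load_config(env=None) -> dict:
    """Fail closed: refuse to build a client unless validate_env() is clean."""
    env = os.environ if env is None else env
    problems = validate_env(env)
    if problems:
        raise RuntimeError("; ".join(problems))
    return {
        "base_url": env["LOGEASE_BASE_URL"].rstrip("/"),
        "auth_header": env["LOGEASE_AUTH_HEADER"],
        # Verification stays on unless the operator explicitly sets the variable to 0/false.
        "verify_tls": env.get("LOGEASE_TLS_REJECT_UNAUTHORIZED", "1").lower() not in ("0", "false"),
    }


def ssl_context(cfg: dict) -> ssl.SSLContext:
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    if not cfg["verify_tls"]:           # explicit opt-out only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(cfg: dict, query: str, time_range: str = "now-1h,now",
                  index: str = "yotta", limit: int = 100) -> urllib.request.Request:
    """Same parameters as the template above, but endpoint and header come from the config."""
    params = urllib.parse.urlencode({"query": query, "time_range": time_range,
                                     "index_name": index, "limit": limit})
    return urllib.request.Request(f"{cfg['base_url']}/api/v3/search/sheets/?{params}",
                                  headers={"Authorization": cfg["auth_header"]})


# Pre-install lint for what the scan flagged in this package: an embedded
# BasicAuth credential, a developer's absolute filesystem path, and a private-range
# IP baked in as the endpoint. Heuristic patterns; expect some false positives.
LINT_PATTERNS = {
    "embedded-credential": re.compile(
        r"(?i)(password|密码)\s*[:=]\s*\S+|Basic\s+[A-Za-z0-9+/]{16,}={0,2}"),
    "developer-absolute-path": re.compile(r"(/Users/|/home/)[^\s'\"]+|[A-Z]:\\Users\\[^\s'\"]+"),
    "private-ip-endpoint": re.compile(
        r"https?://(10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)"),
}


def lint_skill_text(text: str) -> list:
    """Return (line number, finding, excerpt) for every line matching a lint pattern."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pat in LINT_PATTERNS.items():
            if pat.search(line):
                hits.append((no, name, line.strip()[:80]))
    return hits


# Constructed stand-in for a SKILL.md with the same three problems (placeholder values only).
SAMPLE_SKILL_MD = """# Example skill
- API address: http://10.0.0.1
- Password: example-placeholder-secret
schema = fs.readFileSync('/Users/someone/Downloads/schema.yaml')
"""

if __name__ == "__main__":
    for no, name, excerpt in lint_skill_text(SAMPLE_SKILL_MD):
        print(f"line {no}: {name}: {excerpt}")
    print(validate_env({}))
```

Running the lint over a skill's SKILL.md and bundled sources before installing turns the scanner's three findings into a repeatable local check; the hardened loader makes a missing or clear-text configuration a start-up error instead of a silent fallback to a baked-in host and password.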

Pitfalls encountered

  1. Field searches do not always work: field searches such as client_ip:10.x.x.x may return 0 rows; use a keyword search instead
  2. Search log pollution: every search operation is recorded by LogEase itself; when analysing after many searches, exclude appname:rizhiyi
  3. PowerShell environment: use ; as the command separator, not &&; write multi-line code to a file and then run it
  4. The event_type field does not exist: SIP logs have no structured event_type; match the alarm keyword in full text instead
  5. Feilian fields need a prefix: key Feilian fields require the feilian.content. prefix, e.g. feilian.content.client_ip
  6. Attack source IP field: SIP uses sip.attack_ip (not sip.ip; sip.ip is the probe's own IP)
